On 4/4/2002 12:14 PM, Tim Hunt apparently wrote exactly the following:
> Yes: the thought of someone doing
>
> <form>
> <input type="file" value="c:\windows\outlook.pst" style="float: right;
> width: 0; height 0; margin 0;">
>
> <!-- legitimate stuff -->
> </form>
>
> (hope I get that right) is rather unpleasant.
I just changed it into
<form>
<input type="file" value="c:\windows\outlook.pst" style="float: right;
width: 0; height: 0; margin: 0; border: 0;">
<!-- legitimate stuff -->
</form>
(e.g. added some missing colons and a "border: 0;" - in your version, it
still showed a "Search..." button and a vertical leftover of an input box)
And IE shows *nothing* now! This seems like a major security risk to me.
Can some Perl guru write a quick script to test if this actually works?
Mozilla shows it as a tiny button, while Opera absolutely ignores the
stylesheet and displays it as normal. This might also be due to the
incomplete nature of this HTML file though.
> [outlook.pst is where all your email gets stored if you use outlook on
> windows 95/98/Me.]
>
> However it is not clear to me that disabling CSS on form elements is the
> best way of protecting against this.
I don't think so either.
>> In this special case (a styled input type="file" plus a predefined
>> value), we should alert the user.
> I think that the best solution would be to issue an alert if the user
> submits the form, if the submitted value of the <input type="file">
> equals the default value. Something like "Submitting this form will
> cause the file <filename> to be uploaded. Are you sure?" [continue]
> [cancel]
"The page you are currently viewing requests to upload <filename> from
your computer. This poses a major security risk. Are you sure you wish
to continue?"
--
Regards,
Søren Kuklau ('Chucker')
chucker-AT-web-DOT-de
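An added example, not code from this thread: a small JavaScript check that flags the pattern discussed above (an input type="file" shipped with a preset value and collapsed by CSS) in page markup, plus a function implementing Tim Hunt's proposed rule of warning only when the submitted value equals the page-supplied default. The attribute parsing is regex-based, which is enough for the markup shown; the sample form is constructed for the example.

```javascript
// Parse the attributes of one tag body (the text between "<input" and ">").
function parseAttrs(body) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// True if the inline style collapses or hides the element (zero box,
// display:none or visibility:hidden), as in the markup quoted above.
function styleHides(style) {
  const s = style.toLowerCase().replace(/\s+/g, "");
  return /display:none|visibility:hidden|(width|height):0(px)?(;|$)/.test(s);
}

// Return every file input that carries a preset value, noting whether its
// inline style hides it from the user.
function findPresetFileInputs(html) {
  const out = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    if ((a.type || "").toLowerCase() !== "file" || !a.value) continue;
    out.push({ value: a.value, hidden: styleHides(a.style || "") });
  }
  return out;
}

// Tim Hunt's suggested browser-side rule: warn on submit only when the
// value being submitted is exactly the default the page supplied.
function shouldWarnOnSubmit(defaultValue, submittedValue) {
  return Boolean(defaultValue) && defaultValue === submittedValue;
}

// Constructed sample: the form from the thread plus one benign upload field.
const SAMPLE = `<form>
<input type="file" value="c:\\windows\\outlook.pst" style="float: right;
width: 0; height: 0; margin: 0; border: 0;">
<!-- legitimate stuff -->
<input type="file" name="attachment">
</form>`;
```

Only the preset, zero-sized input is reported; the ordinary attachment field (no value attribute) is left alone.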